AS-CRED: Reputation Service for Trustworthy Inter-domain Routing

Size: px

Start display at page:

Download "AS-CRED: Reputation Service for Trustworthy Inter-domain Routing"

Norman Jones
6 years ago
Views:

1 AS-CRED: Reputation Service for Trustworthy Inter-domain Routing Krishna Venkatasubramanian Computer and Information Science University of Pennsylvania ONR MURI N Review Meeting June 10, 2010

2 Overview Border Gateway Protocol Problems with BGP AS-CRED Behavior Analysis Reputation Computation Alert Generation Performance Analysis Conclusion and Future Work 11/4/09 ONR MURI Review 2

3 Border Gateway Protocol AS X p = /8 R1 R2 Autonomous Systems Address prefix owned by ASX p ASX p ASX AS Y R3 BGP Update (Announcement) p ASX, ASY p ASX, ASY R4 BGP Update (Withdrawal) AS Z 11/4/09 ONR MURI Review 3

Problems: Inaccurate BGP Updates Announcement of IP prefixes not owned by ASX or are bogons AS X R1 R4 AS Z Persistent and well-known problem p ASX p= 82.0.

4 Problems: Inaccurate BGP Updates Announcement of IP prefixes not owned by ASX or are bogons AS X R1 R4 AS Z Persistent and well-known problem p ASX p= /8 R2 AS Y R3 p ASX, ASY Reasons for occurrence: Blocking Content YouTube was unavailable for about 1 hour when its Prefix was hijacked by Pakistan Telecom AS Spamming AS 8717, an ISP in Sofia, Bulgaria, originated announcements for /8 May due to malicious intent or misconfiguration Inaccurate Updates Well-known Incidences Prefix hijacked Victim AS Attacker AS Dates / April 8, / March 15, / (YouTube) Feb. 24, / (ebay) November 30, / Jan. 13, /8 NULL 8717 Dec Jan / Dec Jan /4/09 ONR MURI Review 4

Problems: Unnecessary BGP Updates Repeated announcement and withdrawal of IP prefixes owned by ASX, or illegal AS values in update message p AS X R1 R2 R3 R4 AS Z Persistent and NOT well-known

5 Problems: Unnecessary BGP Updates Repeated announcement and withdrawal of IP prefixes owned by ASX, or illegal AS values in update message p AS X R1 R2 R3 R4 AS Z Persistent and NOT well-known problem Order of magnitude larger problem compared with prefix hijacking p ASX AS Y p ASX, ASY Principal suspected reason Misconfiguration of BGP router Unnecessary Updates Example: Prefix /24 announced and withdrawn 4824 times by AS37035 between Dec. 3, 2009 and Dec. 7, 2009, once every 1.5 minutes. Announcement of private AS numbers (e.g., AS65535) due to improper export policy filtering Prominent Incidences AS Prefix Dates RAW /24 Dec.3 Dec /24 Nov. 2 - Nov. 10, /30 Dec. 8 - Dec. 31, /24 Nov. 1 - Nov. 27, /4/09 ONR MURI Review 5

6 Feedback Approach Principal Question: How do we know if ASes are announcing valid updates? Update Validity: necessary and accurate Feedback Interaction Approach: Essentially a question of trust a subjective expectation on the behavior of an entity In this problem: Entity Autonomous Systems Behavior announcement of valid BGP updates Observation: ASes repeat their behaviors Past can be used to predict future Metric of choice: Reputation Phase I Evaluation of interaction Phase II f Reputation Function 11/4/09 ONR MURI Review 6

7 Goals Compute the reputation for Autonomous Systems in the Internet, by analyzing past BGP updates announced by them for their validity accuracy and necessity. Provide an alert service for tracking the subsequent announcement of potentially invalid BGP updates based on the computed reputation. Deploy as an publically available service for everyone to use. 11/4/09 ONR MURI Review 7

8 Traditional Approach BGP Update Invalidity Detection Prefix Hijacking Bogons Private AS Numbers Frequent Announcements and Withdrawals Control-plane Information Data-plane Probing Reputation Static Checking Karlin et. al 09 Qiu et. al 07 Lad et.al 04 Mahajan et. al 02 Xao et. al 02 X. Hu et. al 07 Zheng et. al 07 Zhang et. al 05 N. Hu et. al 07 Yu et. al 05 Implemented as a part of BGP route policy space Use Short-lived prefix announcements as basis for detection Consider them both malicious and misconfigured Provide alerts for potential hijacks Third-Party Feedback Dependent Requires Overlay Trust Network 11/4/09 ONR MURI Review 8

Traditional Approach BGP Update Invalidity Detection Control-plane Information Karlin et. al 09 Qiu et. al 07 Lad et.al 04 Mahajan et. al 02 Xao et. al 02 Prefix Hijacking X. Hu et.

al 05 Bogons Private AS Numbers Principal Issues: Data-plane Probing No Non-necessity Reputation check Static Checking No quantitative modeling of AS behavior tendencies High False

9 Traditional Approach BGP Update Invalidity Detection Control-plane Information Karlin et. al 09 Qiu et. al 07 Lad et.al 04 Mahajan et. al 02 Xao et. al 02 Prefix Hijacking X. Hu et. al 07 Zheng et. al 07 Zhang et. al 05 N. Hu et. al 07 Yu et. al 05 Bogons Private AS Numbers Principal Issues: Data-plane Probing No Non-necessity Reputation check Static Checking No quantitative modeling of AS behavior tendencies High False Positives Implemented as a part of BGP route policy space Frequent Announcements and Withdrawals Use Short-lived prefix announcements as basis for detection Consider them both malicious and misconfigured Provide alerts for potential hijacks Third-Party Feedback Dependent Requires Overlay Trust Network 11/4/09 ONR MURI Review 9

10 AS-CRED: Architecture BGP Activity Manager: Database for BGP updates Obtained from well-connected BGP data collectors AS-Behavior Analyzer: Analyzes the updates in BGP Activity Manager, based on a set of well-defined properties to detect invalidity The results of the analysis, is a feedback on the past behavior of ASes Reputation Manager: Computes the reputation of the ASes based on a well defined mathematical function Uses past behavior information in the form of feedback Reputation Portal: Once the AS reputations are computed it is made available through a web portal Alert Manager: Uses AS reputation, to trigger real-time alerts regarding potential invalidity of any new updates propagated within the Internet. AS-CRED Architecture 11/4/09 ONR MURI Review 10

11 Data Source: RouteViews Basically a group of BGP routers (AS 6447) peered with about 40 other ASes at crucial places Receives updates from the peers which it stores in its database without any filtering Maintains RIB dumping database: a prefix list with time-stamped information on origin and AS-path ASX 6447 ASY Route-Views does not originate any prefix or forward a received update message RIB dumping every two hours, update messages every 15 minutes Useful for analyzing past behaviors of ASes ASZ For every prefix visible to ASes X, Y and Z an entry exists in /4/09 ONR MURI Review 11

12 Behavior Analysis: Property I Observation: AS prefix bindings which are invalid usually last for a short period of time, i.e., they are unstable. M Length of Learning Window Aim: Detect AS-prefix bindings stability Need: Historical Information based analysis Analysis window (60 days learning window) Two complimentary metrics Prevalence percentage of learning window AS-prefix binding lasted Persistence average time an AS-prefix binding lasted M Time prefix (p) withdrawn by AS (M) Index of each announcement and withdrawal AS-prefix binding timeline Time prefix (p) announced by AS (M) 25% 15 % 25% Learning window = 60 days Total number of announcements and withdrawals Pr = 65%; Ps = ( )*60/3 = 13 days 11/4/09 ONR MURI Review 12

13 Property II & Feedback Initial Classification Prevalence Persistence Feedback Entry format AS prefix Timestamp of announcement Hi Hi Good Hi Lo Bad (Unnecessary) Ugly Lo Hi Good Lo Lo Ugly (Inaccurate) Feedback Type Bad Good Refinement Past Ownership and AS_PATH AS X Ownership of Prefix P AS X ownership of Prefix P Good Ugly P P Refinement 1 Bad AS X AS X AS U AS W AS W prefix P AS Y prefix P Refinement 2 Good Bad Ugly Current Ownership and AS_PATH 11/4/09 ONR MURI Review 13

14 Stability Threshold Feedback results in three sets: Good, Bad and Ugly Threshold needed to determine: What is Hi and Lo? Generated based on comparison with Internet Route Registries (IRR), the closest source to ground truth available Compare False Positive: entries in IRR found in Ugly set False Negative: entries not in IRR found in Good and Bad set Choosing Thresholds Value of choice: T Pr = 1% and T Ps = 10 hours 11/4/09 ONR MURI Review 14

15 Behavior Analysis: Property II Observation: BGP updates contain illegal values for ASes and the prefixes they announce Legal AS numbers Illegal AS numbers Illegal AS numbers: Example, those in the range of: , r X Y Z Bogons: Set of yet to be allocated prefixes receiver blamed announcer Feedback: Illegal AS numbers: First AS in the AS-PATH with a legitimate value blamed Update considered Unnecessary Bogons: The announcer is blamed Update considered Inaccurate r receiver Illegal AS Number X Y Bogon Announcement blamed Z Bogon announcer 11/4/09 ONR MURI Review 15

16 Reputation Computation AS-CRED computes untrustworthiness of ASes in announcing valid updates Reputation of an AS is computed based on Bad and Ugly feedback only Time-decay function Uses a time-decay function where X is either B or U h X is a half-life of behavior X t now is the current time t i is the feedback timestamp: Two reputation values created for each AS RepU characterizes an As s past inaccurate update announcement RepB - characterizes an As s past unnecessary update announcement t now Half-life: time by which the weight of the reputation of an AS is halved Set based on by when 75% of the ASes repeat their invalid updates Values: h U = 3 days, h B = 6 days t i 11/4/09 ONR MURI Review 16

17 Alert Generation Process Three Steps Process White-List Filtering: When a new update is received, we first checks to see if its corresponding AS-prefix binding (a, p) is in our white-list (G set) Initial State RepU of all ASes Good (White-List) Ugly Bad RepB of all ASes Alert Generation: If (a, p) are not in the white-list, we post an potential invalid Alert 2 Fetch Update 1 Search Good (White-List) Found Relabeling: Label updated to Unnecessary, if RepB(a) is poor or RepU(a) is poor with p p such that (a, p ) is in the white-list. Label updated to Inaccurate, if RepU(a) is poor with no p p such that (a, p ) is in the white-list T U RepU Alert: Inaccurate T B NOT Found Alert: Potential Invalid RepB + Refinement 1 Alert: Unnecessary Alert Generation 11/4/09 ONR MURI Review 17

18 Behavior Analysis (Nov 1, 09- Dec 30, 09) Property I: Unnecessary repeated updates far outnumber prefix hijackings or updates with illegal AS numbers Updates for prefix hijacking and illegal AS numbers instances are similar in scale Entries in the U set are exclusively prefix hijacking instances Property II: updates affected by illegal AS numbers leading to penalization of 134 ASes Zero instances of Bogons Repetitive poor behavior displayed, makes reputation a good metric for trust establishment Shows Number of entries in B and U set after the learning window. 11/4/09 ONR MURI Review 18

19 Behavior Analysis (Nov 1, 09- Dec 30, 09) Property I: Unnecessary repeated updates far outnumber prefix hijackings or updates with illegal AS numbers Updates for prefix hijacking and illegal AS numbers instances are similar in scale Entries in the U set are exclusively prefix hijacking instances Property II: updates affected by illegal AS numbers leading to penalization of 134 ASes Zero instances of Bogons Observation: Unnecessary updates a bigger problem in inter-domain routing compared to updates with Inaccurate information Repetitive poor behavior displayed, makes reputation a good metric for trust establishment Shows Number of entries in B and U set after the learning window. 11/4/09 ONR MURI Review 19

20 Quality of Behavior Analysis Inaccurate Updates U set stores instances of inaccurate updates prefix hijacking Inaccurate updates detected compared with Internet Alert Registry w.r.t. IRR 4 fold improvement in False Positives Unnecessary Updates B set stores instances of Unnecessary updates Unnecessary updates from repeated announcements and withdrawals were 92% legitimate AS-prefix bindings (based on Internet Route Registry) Announced 42 times more often than Good AS-prefix bindings False Positive Scheme No Record IRR Match No IRR Match AS-CRED 841 (13.7%) 975 (18.4%) 4323 (81.6%) IAR 4190 (10.7%) (74.4%) 8903 (25.6%) # Announcements and Withdrawals Hijack Behavior Analysis (Nov 1- Dec 30) Vs. IAR w.r.t. IRR AS Prefix NAW Duration Observed / Nov 2-10, / Dec 8 31, / Nov 1-27, 2009 Prominent Examples of Unnecessary Updates 11/4/09 ONR MURI Review 20

21 Behavior Analysis Overall Statistics Prefix Statistics Property Value Prefixes Observed SOAS Prefix Observed MOAS Prefix Observed 9750 AS Statistics Property Value AS Observed AS announcing Unnecessary Updates 1568 (4.6%) AS announcing Inaccurate Updates 693 (2.0%) AS exclusively announcing Unnecessary Updates 79 AS exclusively announcing Inaccurate Updates 89 AS-Prefix Binding Classification Property Value Behavior Incidences Statistics Total AS-Prefix Bindings AS-Prefix Bindings in Inaccurate Updates 6139 AS-Prefix Bindings in Unnecessary Updates Property Value Number of Inaccurate Updates Number of Unnecessary Updates /4/09 ONR MURI Review 21

Reputation Analysis AS-CRED Reputation characterizes the current perpetrators of invalid updates announcement: ZERO reputation is considered good behavior 693 ASes have RepU > 0 1568 ASes have RepB >

22 Reputation Analysis AS-CRED Reputation characterizes the current perpetrators of invalid updates announcement: ZERO reputation is considered good behavior 693 ASes have RepU > ASes have RepB > 0 90% of ASes with poor behavior have reputation close to ZERO ASes show repetitive behaviors Most ASes are good, very few ASes demonstrate repeated poor behaviors AS-CRED is sensitive in detecting even announcers of one-off invalid updates Reputation of ASes on Jan 1, 2010 Bottom 5 Ases by Reputation on Jan 1, /4/09 ONR MURI Review 22

23 Alert Consistency Given AS reputation, newly received updates received over Jan 1, 2010 Jan 10, 2010 are be evaluated Updates not seen in white-list classified as unnecessary or inaccurate based on reputation of announcing AS Sets IT - stores all inaccurate updates NN - stores all unnecessary updates We use 60 day consistency check window (Nov 20, 2009-Jan 20, 2010) to: Determine if the prediction was accurate Based on behavior analysis Classification Count Total NN set entries 3546 NN set entries classified in G set 71 (2.5%) NN set entries classified in B set 2591 (97.4%) NN set entries classified in U set 3 (0.1%) Total IT set entries 625 IT set entries classified in G set 7 (0.2%) IT set entries classified in B set 0 (0%) IT set entries classified in U set 618 (98.8%) 11/4/09 ONR MURI Review 23

24 Alert Accuracy For updates deemed inaccurate: AS-CRED detects prefix hijacking in two places: Behavior analysis to populate U set Alert generation when RepU is used to determine if update is a hijack Behavior Analysis shown to be accurate Compared the alert results with Internet Alert Registry and IRR (comparative ground-truth) 8 fold improvement in False Positives False Positive Hijack For updates deemed unnecessary : 88% of the associated AS-prefix binding found in IRR Average NAW 26 with the maximum 4492 Contrast for AS-prefix binding in Good set (Avg. NAW ~ 1) Scheme No Record IRR Match No IRR Match AS-CRED 112 (18.1%) 42(8.3%) 465 (91.7%) IAR 413 (11.2%) 2437(75.4%) 798 (24.6%) Alert Generation (Jan 1-Jan 10) vs. IAR w.r.t. IRR 11/4/09 ONR MURI Review 24

25 AS-CRED Service Screenshot Bottom 5 ASes by Reputation Past Reputation Trend for an AS Reputation-based Update Alert 11/4/09 ONR MURI Review 25

26 Conclusions & Future Work Conclusions: Repetitive Behavior: ASes which announce invalid updates do so repeatedly, which makes reputation a good metric to characterize them Large number of Unnecessary Updates: The number of unnecessary updates with poor stability far outnumber the inaccurate ones and those with illegal values Sensitivity: The reputation metric is very sensitive and can capture ASes which seldom announce invalid updates Improved Hijack Detection: The AS-behavior analysis and alert service are much more accurate than existing services (such as the IAR) for detecting prex hijacking Consistency of Analysis and Reputation: The reputation assigned to an AS is a representative and behavior predictive value. Future Work: Extend this work by including other properties for determining an AS' tendency to announce valid updates, such as presence of valley-free path and stable links in the AS-PATH. 11/4/09 ONR MURI Review 26

27 Thank You & Questions 11/4/09 ONR MURI Review 27 27

AS-CRED: Reputation and Alert Service for Inter- Domain Routing

University of Pennsylvania ScholarlyCommons Departmental Papers (CIS) Department of Computer & Information Science 9-2013 AS-CRED: Reputation and Alert Service for Inter- Domain Routing Jian Chang OpenX,